CVE-2023-32314
Sandbox Escape vulnerability in vm2 (npm)
What is CVE-2023-32314 About?
This vulnerability affects vm2 versions up to 3.9.17 and allows attackers to bypass sandbox protections, leading to remote code execution on the host. The flaw stems from an unexpected creation of a host object related to the `Proxy` specification, making exploitation moderately complex but highly impactful. A successful attack can lead to full system compromise.
Affected Software
vm2 (npm), all versions prior to 3.9.18.
Technical Details
The vm2 sandbox environment, in versions prior to 3.9.18, is vulnerable to a sandbox escape due to an unexpected creation of a host object. This flaw is rooted in how the Proxy specification is handled, allowing an attacker to manipulate the JavaScript environment within the sandbox to gain access to the underlying Node.js runtime. By crafting specific code that interacts with Proxy objects in an unforeseen way, the attacker can break out of the virtualized environment and execute commands directly on the host operating system, effectively negating the security benefits of the sandbox.
What is the Impact of CVE-2023-32314?
Successful exploitation may allow attackers to bypass sandbox protections and execute arbitrary code on the underlying host system, leading to complete system compromise.
What is the Exploitability of CVE-2023-32314?
Exploitation of this sandbox escape vulnerability is likely complex, requiring a deep understanding of JavaScript engines, vm2's internal mechanisms, and the Proxy specification. The prerequisites involve the ability to execute code within the vm2 sandbox environment. There are no explicit authentication or privilege requirements to exploit the escape itself, assuming code execution within the sandbox is already achieved. While the initial code execution might be local to the sandbox, the escape allows for remote code execution on the host, making it a remote attack if the sandbox itself is exposed remotely. Special conditions involve crafting specific code that abuses the Proxy object interaction. Risk factors include any application that executes untrusted JavaScript code within vm2 without the updated patch.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| AdarkSt | Link | This Repository Includes Kubernetes manifest files for configuration of Honeypot system and Falco IDS in K8s environment. There are also Demo Application written with Node.js which is containing... |
What are the Available Fixes for CVE-2023-32314?
About the Fix from Resolved Security
This patch introduces wrappers around Proxy creation and handler functions to sanitize and control arguments, effectively preventing prototype pollution and insecure handler tampering. By ensuring that Proxy handlers and arguments are safely contained and proxied, it mitigates the attack vector exploited in CVE-2023-32314, which allowed attackers to escape the sandbox by manipulating Proxy objects.
Available Upgrade Options
- vm2
  - <3.9.18 → Upgrade to 3.9.18
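The practical check that follows from the upgrade table is whether any copy of vm2 below 3.9.18 is still installed, including nested copies pulled in by other packages. The script below is an added example, not code from this page, from vm2 or from Resolved Security: it walks an npm lockfile (both the `packages` map of lockfileVersion 2/3 and the recursive `dependencies` tree of lockfileVersion 1), flags every vm2 entry older than the fixed release and returns the affected count so a CI job can fail on it. The lockfile excerpt, the project name `sample-app` and the package `some-plugin` are constructed placeholders.

```javascript
// Added example, not vm2's or Resolved Security's code: report every copy of
// vm2 in an npm lockfile that predates the fixed release (3.9.18).

const FIXED_VERSION = '3.9.18';

// Parse "MAJOR.MINOR.PATCH" into three numbers; a leading "v" and any
// pre-release/build suffix are ignored.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two versions: <0, 0 or >0, like strcmp.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// True when the installed vm2 version is in the affected range (< 3.9.18).
function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// lockfileVersion 1 nests dependencies recursively under "dependencies";
// walk the tree and record each vm2 node with its on-disk path.
function walkLegacyTree(deps, prefix, results) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === 'vm2' && entry.version) {
      results.push({ path, version: entry.version, affected: isAffected(entry.version) });
    }
    walkLegacyTree(entry.dependencies, `${path}/`, results);
  }
}

// lockfileVersion 2/3 list every installed package under "packages", keyed by
// its node_modules path; nested copies appear as deeper paths.
function findVm2Installs(lockfile) {
  const results = [];
  if (lockfile.packages) {
    for (const [path, entry] of Object.entries(lockfile.packages)) {
      if (path === '') continue; // the root project itself
      const marker = 'node_modules/';
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      if (name === 'vm2' && entry.version) {
        results.push({ path, version: entry.version, affected: isAffected(entry.version) });
      }
    }
  } else {
    walkLegacyTree(lockfile.dependencies, '', results);
  }
  return results;
}

// Constructed lockfile excerpt (lockfileVersion 3): the app pins a vulnerable
// vm2 directly, while a plugin carries its own, already patched, nested copy.
const SAMPLE_LOCKFILE = {
  name: 'sample-app', // placeholder project name
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { vm2: '^3.9.0', 'some-plugin': '1.0.0' } },
    'node_modules/vm2': { version: '3.9.17' },
    'node_modules/some-plugin': { version: '1.0.0', dependencies: { vm2: '3.9.18' } },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.18' },
  },
};

// Human-readable summary; returns the number of affected copies so a CI job
// can fail the build when it is non-zero.
function printReport(lockfile) {
  const installs = findVm2Installs(lockfile);
  let affectedCount = 0;
  for (const { path, version, affected } of installs) {
    if (affected) affectedCount++;
    console.log(`${affected ? 'AFFECTED' : 'ok      '} ${path} vm2@${version}`);
  }
  console.log(`${affectedCount} of ${installs.length} vm2 install(s) need upgrading to ${FIXED_VERSION}`);
  return affectedCount;
}

printReport(SAMPLE_LOCKFILE);
```

Replace `SAMPLE_LOCKFILE` with the parsed contents of a real `package-lock.json` to scan a project. Nested copies matter here: a direct upgrade of vm2 to 3.9.18 does not touch a vulnerable copy vendored under another dependency's own `node_modules`, which is why the walk records the full path of each install rather than only the top-level entry.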
Additional Resources
- https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac
- https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5
- https://github.com/patriksimek/vm2/releases/tag/3.9.18
- https://nvd.nist.gov/vuln/detail/CVE-2023-32314
- https://osv.dev/vulnerability/GHSA-whpj-8f3w-67p5
- https://github.com/patriksimek/vm2
- https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf
What are Similar Vulnerabilities to CVE-2023-32314?
Similar Vulnerabilities: CVE-2022-36067, CVE-2022-36068, CVE-2022-36069, CVE-2022-36070, CVE-2022-36071
